Confirmed by code inspection.
When sending a FLUSH command to a slot without a drive (s->bs == NULL),
ide_flush_cache() directly calls ide_flush_cb() to return completion. However,
the latter doesn't care to check for s->bs == NULL before using it, so it
crashes.
Upstream still contains the same bug.

Although we found another new bug in iofuzz testing [1], the backtrace log is different from this bug's. So we will verify this bug first and track the new issue in bug 1133393.
[1] Bug 1133393 - qemu core dump on iofuzz test

Hi, Kevin
Could you help check comment 10? We verified this bug on comment 7, and the issue could not be reproduced. Currently we are executing a round of bug re-verification work, and hit the issue in comment 10.
Thanks,
Qunfang

Comment 10 describes a separate bug, so please file a new BZ for it. Unfortunately
the crash message at the beginning has been truncated from the report, so I can't
see what really happened. I suppose it's a division by zero. If the core dump is
still available, can you also paste the result of 'p *s' into the description
of the new BZ, please?

(In reply to Kevin Wolf from comment #12)
Hello Kevin,
Having found another core dump, I filed two BZs as below:
1136878 qemu core dump on iofuzz test on qemu version 442
1136894 qemu core dump on iofuzz test on qemu version 442(virtio-net-vhost)
Thank you for the explanation.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2014-1490.html
